¿Entornos de Sandbox que realicen análisis en código javascript ofuscado? [cerrado]


¿Hay entornos sandbox que realicen análisis de código JavaScript ofuscado?

Por ejemplo, tengo un fragmento de código JS ofuscado que se ejecuta a la perfección, pero es imposible desofuscarlo (lo probé en varios sitios).

Quiero saber qué variables lee este código y qué operaciones realiza sobre los datos generados.

¿Es esto posible?

Para aquellos que preguntan sobre el código:

<script>/* Obfuscated browser-fingerprint collection / automation-detection script, as pasted. On this page it appears to be soft-wrapped at the only spaces a minifier leaves (after 'var' and 'return'); if those breaks were real newlines, 'return' + newline would return undefined (ASI), so treat these lines as one line when reproducing it. */var
/* String table: every entry is base64 of the UTF-8 text of RC4 ciphertext, decrypted lazily by _0x1060() below. These are not machine code — disassembling the base64-decoded bytes yields noise. */_0x4c36=['w6rChcKeWsKXw7TCocOlNF8Kw7bCuMKdKsOWTMKjF2A=','V3PClhXDu8OCCMO5WwbCp8KhD8KVw7LDo8KOwr7CiA==','w6saBzVaIwbDk8OqHMKGwpvDgzzCixMTMMOL','w5HClUhaw5TDlQM6GVJMS8KmD8KYXTfCgynCtxU=','w6rDkRl2ehcFDcOVVBpibHlAIG4IKcOq','wr3Co8K0QsOGGsO2WcOHDMKpwoxSVGJKc8OHMBbCgivDnA==','WMKMQXbCpAzCpcOJP0HCkSXCuTQP','ZcOXAsOfw5rChMOGVsOESXEI','w6LDu2h7wrAwFcON','w6Ikw4nClFQZw5RHw5Rvwo/DhcKGacO8','w7V9wrrDrkEaMcOVaWbDv8Ka','w5LDqwtPahEeEsOSUzFy','w7PDkcOBUcK+w7U=','XcKpw7LDgW7DglZ+','RcKzwqc2RcOEH2vDhw==','dsKZw4/DnHvDg0x0wqdPZg==','w6HDhsOqaH7CrMOSw5I=','dMOFw6DCiQ==','F8O8w5o7LmbCsgA=','QcK0w4TDkw==','wpXCg8ODOcKow5DColY=','w7pqwqvDiQ==','w7DDmcOuVsKTw5LDrg==','w5Uvw4vCr8OIVAZLw6zCn0HCuEk=','dWLCjxM=','eMOGwpbDgDPCjFzCs8KubV4geW/Cvg==','wozCuErDo8KlBsODUQc=','w4IoZMK5w5s=','w4lTHA==','w4bCrsKbVsKbw7fCusOqOw==','w6JEwrjCgTvCjRdYIcOjw5hZYSZr','w7jDh8O6VsKFw7nDi8ONw4nCrjE=','wpXCicOOP8Kow5E=','w5PDvBBjXQ0NCcOzSSFy','RQ7CvcO3O2fDhsK6w5fCgg==','w6VDwrrChhXChx1JJcO7','w6ouw4TChk0U','wpbDtMOJw613HDA=','w5PDsUDDohvDlsKE','KMKGZ8KbccON','w6PDjMO7U8Kpw640wq8=','wpbDtMOdw754HTHChg==','wo4NT8KFwowHw5B0wrciwqI=','RWI6Un7DvhxXwptFaw==','w6XDsVdqwqwwDsOH','wopbwpBEQWLCiWbDkCd8','w6Jwwq/DgUEBLg==','D8O8w6ouKGbCswk=','wpAGQ8KEwowmw4N4wqI=','w6rCicKMU8KQw77CusO5L2Uxw63CmMK0GcOfWsKtEWE5wrM=','w5dGbMO4J8Kxw4oAwpjChzgS','wrgQRMKMwpshw5xowr0=','V3PCkhXDtcODFMO5WA7CisKbCsKXw6zDv8Kfwr7CssKFw5U='];(function(_0x2566b1,_0x524125){var
/* Rotate the table in place: shift()+push() runs 0x15e = 350 times (350 mod the 53 entries = 32 positions), so the numeric indices used below refer to the rotated order, not the literal order. */_0x1212d5=function(_0x2b1926){while(--_0x2b1926){_0x2566b1['push'](_0x2566b1['shift']());}};_0x1212d5(++_0x524125);}(_0x4c36,0x15e));var
/* String accessor _0x1060(hexIndex, key): '-0x0' coerces the hex string to a number; the first call installs the decoder ('Pjsvdu'), a result cache ('vLOTlN') and an init flag ('ZyRSGR') as properties of the function itself. */_0x1060=function(_0x2d8f05,_0x4b81bb){_0x2d8f05=_0x2d8f05-0x0;var _0x4d74cb=_0x4c36[_0x2d8f05];if(_0x1060['ZyRSGR']===undefined){(function(){var
/* Resolve the global object through Function('return this'); if that throws, fall back to window. */_0x36c6a6=function(){var _0x33748d;try{_0x33748d=Function('return\x20(function()\x20'+'{}.constructor(\x22return\x20this\x22)(\x20)'+');')();}catch(_0x3e4c21){_0x33748d=window;}return
/* Install an atob() polyfill (standard base64 alphabet) only if the global lacks one. */_0x33748d;};var _0x5c685e=_0x36c6a6();var _0x3e3156='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';_0x5c685e['atob']||(_0x5c685e['atob']=function(_0x1e9e81){var
/* Polyfill body: strip trailing '=' and decode 6-bit groups. Then _0x29929c(data, key) — the real decoder: base64 -> bytes -> UTF-8 decode -> RC4 with the per-call key. */_0x292610=String(_0x1e9e81)['replace'](/=+$/,'');for(var _0x151bd2=0x0,_0x558098,_0xd7aec1,_0x230f38=0x0,_0x948b6c='';_0xd7aec1=_0x292610['charAt'](_0x230f38++);~_0xd7aec1&&(_0x558098=_0x151bd2%0x4?_0x558098*0x40+_0xd7aec1:_0xd7aec1,_0x151bd2++%0x4)?_0x948b6c+=String['fromCharCode'](0xff&_0x558098>>(-0x2*_0x151bd2&0x6)):0x0){_0xd7aec1=_0x3e3156['indexOf'](_0xd7aec1);}return _0x948b6c;});}());var _0x29929c=function(_0x5dd881,_0x4b81bb){var _0x18d5c9=[],_0x4ce2f1=0x0,_0x333808,_0x432180='',_0x2ab90b='';_0x5dd881=atob(_0x5dd881);for(var
/* Percent-encode each decoded byte and decodeURIComponent() the result: this is a UTF-8 decode of the base64 output. */_0x991246=0x0,_0x981158=_0x5dd881['length'];_0x991246<_0x981158;_0x991246++){_0x2ab90b+='%'+('00'+_0x5dd881['charCodeAt'](_0x991246)['toString'](0x10))['slice'](-0x2);}_0x5dd881=decodeURIComponent(_0x2ab90b);for(var
/* RC4 key schedule (KSA): identity S-box over 0..255, then key-dependent swaps driven by the per-call key. */_0x57b080=0x0;_0x57b080<0x100;_0x57b080++){_0x18d5c9[_0x57b080]=_0x57b080;}for(_0x57b080=0x0;_0x57b080<0x100;_0x57b080++){_0x4ce2f1=(_0x4ce2f1+_0x18d5c9[_0x57b080]+_0x4b81bb['charCodeAt'](_0x57b080%_0x4b81bb['length']))%0x100;_0x333808=_0x18d5c9[_0x57b080];_0x18d5c9[_0x57b080]=_0x18d5c9[_0x4ce2f1];_0x18d5c9[_0x4ce2f1]=_0x333808;}_0x57b080=0x0;_0x4ce2f1=0x0;for(var
/* RC4 keystream (PRGA) XORed into each character of the UTF-8-decoded string; the result is the plaintext property name or literal the caller wanted. */_0x219af0=0x0;_0x219af0<_0x5dd881['length'];_0x219af0++){_0x57b080=(_0x57b080+0x1)%0x100;_0x4ce2f1=(_0x4ce2f1+_0x18d5c9[_0x57b080])%0x100;_0x333808=_0x18d5c9[_0x57b080];_0x18d5c9[_0x57b080]=_0x18d5c9[_0x4ce2f1];_0x18d5c9[_0x4ce2f1]=_0x333808;_0x432180+=String['fromCharCode'](_0x5dd881['charCodeAt'](_0x219af0)^_0x18d5c9[(_0x18d5c9[_0x57b080]+_0x18d5c9[_0x4ce2f1])%0x100]);}return
/* Publish decoder, cache and init flag on the accessor ('!![]' is true). */_0x432180;};_0x1060['Pjsvdu']=_0x29929c;_0x1060['vLOTlN']={};_0x1060['ZyRSGR']=!![];}var
/* Per-index cache: decrypt once with the key supplied on the first call for that index, then reuse the plaintext. */_0x441e3a=_0x1060['vLOTlN'][_0x2d8f05];if(_0x441e3a===undefined){if(_0x1060['DuRerv']===undefined){_0x1060['DuRerv']=!![];}_0x4d74cb=_0x1060['Pjsvdu'](_0x4d74cb,_0x4b81bb);_0x1060['vLOTlN'][_0x2d8f05]=_0x4d74cb;}else{_0x4d74cb=_0x441e3a;}return
/* enc(text, key): repeating-key XOR of char codes (the _0x1060() calls presumably resolve to 'length', 'fromCharCode' and 'charCodeAt'). This is obfuscation, not encryption: the key is in the page, so the payload is trivially reversible. */_0x4d74cb;};function enc(_0xf00bfa,_0x38d001){var _0x3bf9f7='';for(var _0x551157=0x0;_0x551157<_0xf00bfa[_0x1060('0x0','N^4o')];_0x551157++){_0x3bf9f7+=String[_0x1060('0x1','#ij$')](_0xf00bfa[_0x1060('0x2','V(s$')](_0x551157)^_0x38d001[_0x1060('0x3','vSXv')](_0x551157%_0x38d001[_0x1060('0x4','s@Ce')]));}return
/* Payload: a = array of environment observations — navigator.userAgent, new Date(), a plugin-array size (presumably plugins.length), automation markers visible in plaintext ('_phantom', '__driver_evaluate', '__driver_unwrapped', '__selenium_unwrapped', a 'webdriver' attribute lookup) plus more hidden behind _0x1060(), and the page's query string. It is JSON-serialised, XORed with k="cmljx14", base64-encoded and appended to c="cmljx14.js?rbmcpgy=" on a newly created element b (presumably a <script> src) that is then attached to the document — i.e. the fingerprint leaves the page as a request to that relative URL. To learn what it reads, evaluate or hook _0x1060() for each (index, key) pair rather than decoding the table offline. */_0x3bf9f7;}var a=[navigator['userAgent'],new Date(),(navigator[_0x1060('0x5','XHP5')]instanceof PluginArray?navigator[_0x1060('0x6','H#g9')][_0x1060('0x7','YFnJ')]:0x0)[_0x1060('0x8','^G*e')](),navigator[_0x1060('0x9','XHP5')],window[_0x1060('0xa','mPj%')]['toString'](),window[_0x1060('0xb','dvzq')][_0x1060('0xc','Yk&1')](),(_0x1060('0xd','M3FO')in window||'_phantom'in window||_0x1060('0xe','RmJ7')in window)[_0x1060('0xf','#Hws')](),(_0x1060('0x10','mPj%')in window||_0x1060('0x11','6uL5')in window||_0x1060('0x12','4(ga')in window||_0x1060('0x13','mPj%')in window||_0x1060('0x14',']eFZ')in document||'__driver_evaluate'in document||_0x1060('0x15','6uL5')in document||_0x1060('0x16',']eFZ')in document||_0x1060('0x17','hSFx')in document||'__driver_unwrapped'in document||_0x1060('0x18','tUlI')in document||'__selenium_unwrapped'in document||_0x1060('0x19','#ij$')in document||_0x1060('0x1a','&d04')in document||document[_0x1060('0x1b','O91g')][_0x1060('0x1c','#!^O')](_0x1060('0x1d','Yk&1'))!==null||document[_0x1060('0x1e','s@Ce')][_0x1060('0x1f','RmJ7')]('webdriver')!==null||document['documentElement'][_0x1060('0x20','#ij$')](_0x1060('0x21','^G*e'))!==null)[_0x1060('0x22','WiT#')](),(_0x1060('0x23','G]pe')in navigator)['toString'](),(!!window[_0x1060('0x24','WiT#')])[_0x1060('0x25','P!LY')](),window['location'][_0x1060('0x26','pBo%')]['indexOf']('?')===-0x1?'':window[_0x1060('0x27','#Hws')][_0x1060('0x28','WiT#')]['substring'](window[_0x1060('0x29','N^4o')][_0x1060('0x2a','RmJ7')][_0x1060('0x2b','QIdi')]('?')+0x1)];var b=document[_0x1060('0x2c','Nasw')]('script');b[_0x1060('0x2d','5G6)')]=_0x1060('0x2e','0SYn');var c="cmljx14.js?rbmcpgy=";var k="cmljx14";b[_0x1060('0x31','DnJH')]=c+btoa(enc(JSON[_0x1060('0x32','6uL5')](a),k));document[_0x1060('0x33','vSXv')][_0x1060('0x34','QIdi')](b);</script>
    
pregunta Hot dog 12.09.2018 - 03:55

1 respuesta


A veces necesitas hacer esto por tu cuenta; además es más desafiante y divertido. En el siguiente ejemplo solo tomo la variable _0x4c36, que es una lista, la recorro, decodifico el base64 y desensamblo el resultado (solo pego el primer elemento de la lista).

('w6rChcKeWsKXw7TCocOlNF8Kw7bCuMKdKsOWTMKjF2A=', '\xc3\xaa\xc2\x85\xc2\x9eZ\xc2\x97\xc3\xb4\xc2\xa1\xc3\xa54_\n\xc3\xb6\xc2\xb8\xc2\x9d*\xc3\x96L\xc2\xa3\x17')
00000000: c3                               RET
00000001: aa                               STOSB
00000002: c285c2                           RET 0xc285
00000005: 9e                               SAHF
00000006: 5a                               POP RDX
00000007: c297c3                           RET 0xc397
0000000a: b4c2                             MOV AH, 0xc2
0000000c: a1c3a5345f0ac3b6c2               MOV EAX, [0xc2b6c30a5f34a5c3]
00000015: b8c29d2ac3                       MOV EAX, 0xc32a9dc2
0000001a: 96                               XCHG ESI, EAX
0000001b: 4cc2a317                         RET 0x17a3
0000001f: 60                               DB 0x60

Y el código en Python que hace el trabajo:

import base64
import distorm3

# Walk the obfuscated string table (the JS `_0x4c36` array); `variable_0x4c36`
# is a placeholder the reader fills in with that list.
# NOTE(review): per the page's own `_0x1060` decoder the entries are RC4
# ciphertext (base64 -> UTF-8 -> RC4 with a per-call key), not machine code,
# so the disassembly below shows how the bytes *would* decode as x86-64,
# not what the strings actually contain.
for encoded in variable_0x4c36:
    raw = base64.b64decode(encoded)
    print(encoded, raw)
    # distorm3.DecodeGenerator yields (offset, size, instruction, hexdump)
    # tuples; size is not needed for the listing.
    listing = distorm3.DecodeGenerator(0, raw, distorm3.Decode64Bits)
    for offset, _size, instruction, hexdump in listing:
        print("%.8x: %-32s %s" % (offset, hexdump, instruction))

Desde mi punto de vista, parece un poco sospechoso que todos los buffers se desensamblen.

    
respondido por el camp0 12.09.2018 - 09:54
